Medical devices at risk: 5 capabilities that invite danger

It isn't just certain connected medical devices that put patient data and physical safety at risk, it's specific capabilities and systems within which they operate that make them a broad, and vulnerable, attack surface.

And even if it hadn’t attacked specific devices, the encryption of everything in a hospital system could mean shutting down all devices that serve patients.

Also, those systems may be obsolete. The Trend Micro survey found that more than 3 percent of exposed devices still used Windows XP, the Microsoft operating system that the company no longer supports, which means it no longer receives security updates.

4. Holding patient data

Not all devices hold patient data, Domas said, but those that do are vulnerable to having that data compromised, since they generally communicate directly with the Electronic Health Records (EHR) system.

“There have been in-the-wild attacks on X-rays and PACS (Picture Archiving and Communication System),” Domas said, “some of which will contain a whole patient record.

“The devices are designed to talk to your records, so anything that compromises them will have a connection to the rest of the data on a patient.”

Gunawardhana agreed. “Pacemakers, insulin pumps, CT scanners, MRI machines and digital health records are at the greatest risk, given their interconnectivity to various medical platforms within the hospital setting,” she said. “There are many ways these devices could be hacked in which damage could be done to patients.”

5. Third-party connections

Clark said it is not so much the class of the device but its purpose. “Remote monitoring is becoming incredibly popular,” he said, because it helps existing staff oversee all the patients in hospitals where they might not be able to do it physically.

“But if they use third-party servers, there is a high level of risk,” he said.

Domas agreed, noting that “devices that need to phone home” depend on the security of that third party. “It punches a hole in your (the HDO’s) security,” she said, noting that this applies to any connection “that needs to leave the hospital.”

One example is devices in ambulances that connect with a server at the hospital, so doctors in the hospital can see when a patient arrives what was already done in the ambulance. “You want that information to get to the doctor,” she said, “so there are good reasons for the device to have that capability,” but it also means the communication is less secure than it might be inside the hospital system.

PCs within the hospital network could even be considered a “third party.” Camejo noted that many devices are controlled through PCs. “Even if the device itself isn’t vulnerable, “an attacker who takes over the PCs that administer these devices could gather passwords and then attack the devices directly,” he said.